Change logs for python3.8 source package in Focal

  • python3.8 (3.8.10-0ubuntu1~20.04.9) focal-security; urgency=medium
    
      * SECURITY UPDATE: TLS handshake bypass
        - debian/patches/CVE-2023-40217.patch: avoid ssl pre-close flaw in ssl.py.
        - CVE-2023-40217
    
     -- Fabian Toepfer <email address hidden>  Wed, 22 Nov 2023 11:22:35 +0100
  • python3.8 (3.8.10-0ubuntu1~20.04.8) focal-security; urgency=medium
    
      * SECURITY UPDATE: Possible Bypass Blocklisting
        - debian/patches/CVE-2023-24329-2.patch: adds a complementary patch/fix
          for CVE-2023-24329 that was partially fixed before. This patch starts
          stripping C0 control and space chars in 'urlsplit' in Lib/urllib/parse.py,
          Lib/test/test_urlparse.py.
        - CVE-2023-24329
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Fri, 26 May 2023 11:05:08 -0300
  • python3.8 (3.8.10-0ubuntu1~20.04.7) focal-security; urgency=medium
    
      * SECURITY UPDATE: Possible Bypass Blocklisting
        - debian/patches/CVE-2023-24329.patch: enforce
          that a scheme must begin with an alphabetical ASCII character
          in Lib/urllib/parse.py, Lib/test/test_urlparse.py.
        - CVE-2023-24329
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Mon, 13 Mar 2023 07:26:41 -0300
  • python3.8 (3.8.10-0ubuntu1~20.04.6) focal-security; urgency=medium
    
      * SECURITY UPDATE: Buffer overflow
        - debian/patches/CVE-2022-37454.patch: fixes buffer overflow in
          Modules/_sha3/kcp/KeccakSponge.inc.
      * SECURITY UPDATE: Denial of service
        - debian/patches/CVE-2022-45061.patch: fix quadratic time idna
          decoding in Lib/encodings/idna.py.
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Mon, 14 Nov 2022 09:59:47 -0300
  • python3.8 (3.8.10-0ubuntu1~20.04.5) focal-security; urgency=medium
    
      * SECURITY UPDATE: Injection Attack
        - debian/patches/CVE-2015-20107.patch: Make mailcap refuse to match unsafe
          filenames/types/param in Lib/mailcap.py, Lib/test/test_mailcap.py.
        - CVE-2015-20107
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 22 Jun 2022 17:18:18 -0300
  • python3.8 (3.8.10-0ubuntu1~20.04.4) focal-security; urgency=medium
    
      * SECURITY UPDATE: Injection Attack
        - debian/patches/CVE-2022-0391.patch: sanitize urls in urllib.parse
          when they contain ASCII newline and tabs in
          Doc/library/urllib.parse.rst, Lib/test/test_urlparse.py,
          Lib/urllib/parse.py.
        - CVE-2022-0391
      * Skipping test_idle in riscv64 arch
        - debian/rules: adding test_idle to TEST_EXCLUDES in riscv64 arch because it
          hangs at build time.
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Tue, 15 Mar 2022 09:22:08 -0300
  • python3.8 (3.8.10-0ubuntu1~20.04.2) focal-security; urgency=medium
    
      * SECURITY UPDATE: Denial of Service
         - debian/patches/CVE-2021-3737.patch: addresses the potential for the
           urllib http client to enter into an infinite loop and hang on a 100
           Continue response from a malicious server.
         - debian/patches/CVE-2021-3737_test-fix.patch: improves the regression
           test in Lib/test/test_httplib.py
         - CVE-2021-3737_test-fix.patch
    
     -- Ian Constantin <email address hidden>  Fri, 26 Nov 2021 15:14:08 -0500
  • python3.8 (3.8.10-0ubuntu1~20.04.1) focal-security; urgency=medium
    
      [ Marc Deslauriers ]
      * SECURITY UPDATE: improper handling of octal strings in ipaddress
        - debian/patches/CVE-2021-29921.patch: no longer tolerate leading zeros
          in IPv4 addresses in Lib/ipaddress.py, Lib/test/test_ipaddress.py.
        - CVE-2021-29921
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Tue, 28 Sep 2021 13:10:42 -0300
  • python3.8 (3.8.10-0ubuntu1~20.04) focal-proposed; urgency=medium
    
      * SRU: LP: #1928057. Backport Python 3.8.10 to 20.04 LTS.
      * Python 3.8.10 release.
      * Refresh patches.
      * Call python with -S when checking the minimal set of modules.
      * Try to detect whether python3-venv is missing (Stefano Rivera).
        Addresses: #977887.
      * Build a python3.8-full package.
    
    python3.8 (3.8.9-1) UNRELEASED; urgency=medium
    
      * Python 3.8.9 release.
    
    python3.8 (3.8.7-1) unstable; urgency=medium
    
      * Python 3.8.7 release.
    
    python3.8 (3.8.7~rc1-1) unstable; urgency=medium
    
      * Python 3.8.7 release candidate 1.
      * Bump standards and debhelper versions.
      * Don't expect the test_ttk_textonly test to pass.
      * Add python3-tk test dependency for the failing-tests* autopkg tests.
      * Update symbols files.
    
    python3.8 (3.8.6-1) unstable; urgency=medium
    
      * Python 3.8.6 release.
    
    python3.8 (3.8.6~rc1-1) unstable; urgency=medium
    
      * Python 3.8.6 release candidate 1.
    
    python3.8 (3.8.5-2) unstable; urgency=medium
    
      * Don't build with system mpdecimal, which will be updated to 2.5,
        not compatible with Python 3.8.
    
    python3.8 (3.8.5-1) unstable; urgency=medium
    
      * Python 3.8.5 release.
        - Fix issue 41295, regression on __setattr__ in multiinheritance with
           metaclasses. Closes: #965069.
    
     -- Matthias Klose <email address hidden>  Wed, 02 Jun 2021 12:49:15 +0200
  • python3.8 (3.8.5-1~20.04.3) focal-security; urgency=medium
    
      * SECURITY UPDATE: improper handling of octal strings in ipaddress
        - debian/patches/CVE-2021-29921.patch: no longer tolerate leading zeros
          in IPv4 addresses in Lib/ipaddress.py, Lib/test/test_ipaddress.py.
        - CVE-2021-29921
    
     -- Marc Deslauriers <email address hidden>  Thu, 27 May 2021 09:30:53 -0400
  • python3.8 (3.8.5-1~20.04.2) focal-security; urgency=medium
    
      * SECURITY UPDATE: Code execution from content received via HTTP
        - debian/patches/CVE-2020-27619-3.8.patch: no longer call eval() on
          content received via HTTP in Lib/test/multibytecodec_support.py.
        - CVE-2020-27619
      * SECURITY UPDATE: Buffer overflow
        - debian/patches/CVE-2021-3177-3.8.patch: replace snprintf with Python unicode
          formatting in ctypes param reprs in Lib/ctypes/test/test_parameters.py,
          Modules/_ctypes/callproc.c.
        - CVE-2021-3177
      * Skipping test_idle in riscv64 arch
        - debian/rules: adding test_idle to TEST_EXCLUDES in riscv64 arch because it
          hangs at build time.
    
     -- Leonidas Da Silva Barbosa <email address hidden>  Wed, 27 Jan 2021 12:41:15 -0300
  • python3.8 (3.8.5-1~20.04) focal-proposed; urgency=medium
    
      * SRU: LP: #1889218. Backport Python 3.8.5 to 20.04 LTS.
    
    python3.8 (3.8.5-1) unstable; urgency=medium
    
      * Python 3.8.5 release.
        - Fix issue 41295, regression on __setattr__ in multiinheritance with
           metaclasses. Closes: #965069.
    
    python3.8 (3.8.4-1) unstable; urgency=medium
    
      * Python 3.8.4 release.
      * Update VCS attributes in the control file.
    
    python3.8 (3.8.4~rc1-1) unstable; urgency=medium
    
      * Python 3.8.4 release candidate 1.
    
    python3.8 (3.8.3-1) unstable; urgency=medium
    
      * Python 3.8.3 release.
      * Add XB-Cnf-Visible-Pkgname header on the python*-minimal package to
        point command-not-found at the full one. LP: #1867157
    
    python3.8 (3.8.3~rc1-1) unstable; urgency=medium
    
      * Python 3.8.3 release candidate 1.
        - Issue #38576, CVE-2019-18348: Disallow control characters in hostnames
          in http.client.
        - Issue #39503, CVE-2020-8492: Denial of service in
          urllib.request.AbstractBasicAuthHandler.
    
     -- Matthias Klose <email address hidden>  Tue, 28 Jul 2020 14:59:40 +0200
  • python3.8 (3.8.2-1ubuntu1.2) focal-security; urgency=medium
    
      * SECURITY UPDATE: Infinite loop
        - debian/patches/CVE-2019-20907.patch: avoid infinite loop in the
          tarfile module in Lib/tarfile.py, Lib/test/test_tarfile.py and add
          Lib/test/recursion.tar binary for test.
        - CVE-2019-20907
      * SECURITY UPDATE: Denial of service
        - debian/patches/CVE-2020-14422.patch: Resolve hash collisions for
          IPv4Interface and IPv6Interface in Lib/ipaddress.py,
          Lib/test/test_ipaddress.py.
        - CVE-2020-14422
    
     -- <email address hidden> (Leonidas S. Barbosa)  Thu, 16 Jul 2020 11:00:26 -0300
  • python3.8 (3.8.2-1ubuntu1.1) focal-security; urgency=medium
    
      * SECURITY UPDATE: CRLF injection
        - debian/patches/CVE-2019-18348.patch: disallow control characters
          in hostnames in http.client in Lib/http/client.py, Lib/test/test_*.py.
        - CVE-2019-18348
      * SECURITY UPDATE: Denial of service
        - debian/patches/CVE-2020-8492.patch: fix the regex to prevent
          the regex denial of service in Lib/urllib/request.py,
        - CVE-2020-8492
    
     -- <email address hidden> (Leonidas S. Barbosa)  Mon, 27 Apr 2020 12:53:34 -0300
  • python3.8 (3.8.2-1ubuntu1) focal; urgency=medium
    
      * Add XB-Cnf-Visible-Pkgname header on the python*-minimal package to
        point command-not-found at the full one. LP: #1867157
    
     -- Dimitri John Ledkov <email address hidden>  Fri, 13 Mar 2020 10:14:16 +0000
  • python3.8 (3.8.2-1) unstable; urgency=medium
    
      * Python 3.8.2 release.
    
     -- Matthias Klose <email address hidden>  Tue, 25 Feb 2020 14:04:52 +0100
  • python3.8 (3.8.2~rc2-2) unstable; urgency=medium
    
      * Ignore some autopkg test failures:
        - test_ssl: Fails with OPENSSL_TLS_SECURITY_LEVEL=2.
        - test_io: Fails on Ubuntu's autopkg test infrastructure.
        - Lower OpenSSL security level from 2 to 1 during testing as test_ssl
          assumes that (Dimitri John Ledkov).
    
     -- Matthias Klose <email address hidden>  Fri, 21 Feb 2020 12:37:41 +0100
  • python3.8 (3.8.2~rc2-1) unstable; urgency=medium
    
      * Python 3.8.2 release candidate 2.
    
     -- Matthias Klose <email address hidden>  Tue, 18 Feb 2020 11:16:50 +0100
  • python3.8 (3.8.2~rc1-1ubuntu1) focal; urgency=medium
    
      * Merge with Debian; remaining changes:
        - Ignore some autopkg tests:
          - test_ssl: Fails with OPENSSL_TLS_SECURITY_LEVEL=2.
          - test_io: Fails on Ubuntu's autopkg test infrastructure.
        - Lower OpenSSL security level from 2 to 1 during testing as test_ssl
          assumes that.
        - Disable the LTO build on armhf.
    
    python3.8 (3.8.2~rc1-1) unstable; urgency=medium
    
      * Python 3.8.2 release candidate 1.
      * Make autopkgtests cross-test-friendly (Steve Langasek).
      * Bump standards version.
    
     -- Matthias Klose <email address hidden>  Wed, 12 Feb 2020 01:06:56 +0100
  • python3.8 (3.8.1-2ubuntu3) focal; urgency=medium
    
      * Disable the LTO build on armhf.
    
     -- Matthias Klose <email address hidden>  Thu, 16 Jan 2020 19:22:01 +0100
  • python3.8 (3.8.1-2ubuntu2) focal; urgency=medium
    
      * Lower OpenSSL security level from 2 to 1 during testing as test_ssl
        assumes that.
    
     -- Dimitri John Ledkov <email address hidden>  Wed, 15 Jan 2020 23:54:08 +0000
  • python3.8 (3.8.1-2ubuntu1) focal; urgency=medium
    
      * Ignore some autopkg tests:
        - test_ssl: Fails with OPENSSL_TLS_SECURITY_LEVEL=2.
        - test_io: Fails on Ubuntu's autopkg test infrastructure.
    
     -- Matthias Klose <email address hidden>  Mon, 13 Jan 2020 09:50:33 +0100
  • python3.8 (3.8.1-2) unstable; urgency=medium
    
      * Fix KFreeBSD builds (James Cowgill).
    
     -- Matthias Klose <email address hidden>  Mon, 06 Jan 2020 09:48:53 +0100
  • python3.8 (3.8.1-1) unstable; urgency=medium
    
      * Python 3.8.1 release.
    
     -- Matthias Klose <email address hidden>  Thu, 19 Dec 2019 10:21:09 +0100
  • python3.8 (3.8.1~rc1-1) unstable; urgency=medium
    
      * Python 3.8.1 release candidate 1.
    
     -- Matthias Klose <email address hidden>  Tue, 10 Dec 2019 10:38:12 +0100
  • python3.8 (3.8.0-5) unstable; urgency=medium
    
      * Update to 20191123 from the 3.8 branch.
      * libpython3.8-dbg: Provide a python-$(VER)-dbg-embed.pc pkg-config file.
        Closes: #944852.
    
     -- Matthias Klose <email address hidden>  Sat, 23 Nov 2019 05:55:55 +0100
  • python3.8 (3.8.0-4) unstable; urgency=medium
    
      * Move the test/ann_module{,2,3} modules into libpython-stdlib.
        Closes: #944303.
      * Annotate python-examples dependency on python.
    
     -- Matthias Klose <email address hidden>  Thu, 07 Nov 2019 16:14:28 +0100
  • python3.8 (3.8.0-3) unstable; urgency=medium
    
      * python3.8-dev: Depend on zlib1g-dev, needed to link as an
        embedded interpreter.
    
     -- Matthias Klose <email address hidden>  Sun, 27 Oct 2019 17:36:55 +0200
  • python3.8 (3.8.0-2) unstable; urgency=medium
    
      * Fix a symlink to the shared debug library.
      * Install the python3.8d-embed pkg-config file.
      * Don't ship the python3-embed pkg-config file.
    
     -- Matthias Klose <email address hidden>  Sun, 20 Oct 2019 18:00:25 +0200
  • python3.8 (3.8.0-1) unstable; urgency=medium
    
      * Python 3.8.0 release.
    
     -- Matthias Klose <email address hidden>  Tue, 15 Oct 2019 11:10:20 +0200